Category: Certified Ethical Hacker

Definitions

Trojans:A program that appears to be a legitimate program but in fact performs some malicious functions.

Backdoor: A secret entry point to the system that allows someone who is aware of the backdoor gain unauthorized access.

Viruses: A piece of malicious code attached a program that replicates by attaching itself to other programs.

Worm: A standalone program that propagates copies of itself across the network

Example

Covert channels are important for hiding activity from system owner when attacker communicate via his backdoor. Covert channel is a communication channel in a way that was not intended.

There are lots of reason for using covert channel but as an ethical hacker you should know that covert channel can be used directly communicating with the target to continue maintaining server or launching attack against other system via target. In this way attacker can hide himself from second target.

I am going to show a linux utiliy called ptunnel – tunnel TCP connections over ICMP echo request/reply packets.

From its man page:

ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets,
commonly known as ping requests and replies. At first glance, this might seem like a rather useless thing to do, but it can actually come
in handy in some cases. The following example illustrates the main motivation in creating ptunnel:

Setting: You’re on the go, and stumble across an open wireless network. The network gives you an IP address, but won’t let you send TCP or UDP
packets out to the rest of the internet, for instance to check your mail. What to do? By chance, you discover that the network will allow
you to ping any computer on the rest of the internet. With ptunnel, you can utilize this feature to check your mail, or do other things that
require TCP.

I believe the scenario author discussed was tricky since using a service you are not authorized to use is illegal. However one can argue that since ICMP is allowed by network, there is nothing illegal. My suggestion just play safe and not try in that scenario. Instead use this tool in your home network.

As an ethical hacker we footprint a system, scan it, enumerate users, and crack passwords, then got an access. We elevated privileged access and plant some rootkits. We now want to attack another server with ssh connection, however we want to cover ourselves. We are going to use ptunnel on the already compromised target so in this way system owner will only see lots of ICMP echo request and reply packets instead of actual commands we are running to communicate with the system. Consequently we will be hiding our activity from him/her. We will be launching attack against another server.

Installation

On a debian based system you can install ptunnel with this command:

apt-get install ptunnel

Note: We need to install ptunnel on the our computer (client computer) and also on the proxy computer (comprimisedTarget)

Action

On the compromisedTarget run ptunnel.

./ptunnel

Here compromisedTarget is the target we have access (already hacked). The second target is the one we want to attack.

On your local computer run following command:

sudo compromisedTarget -p 12345 -da secondTarget -dp 22

We are attacking ssh server of the secondTarget to gain access. There are lots of automated tools like Hydra, brutessh, sshater. You can configure them for a brute force attack. For simplicity I am using ssh command for manual tries to guess the password.

ssh -p 12345 localhost

Now we are sending our ssh packets through the ICMP tunnel that is established with the compromisedTarget. The owner of the compromisedTarget will see lots of ICMP echo request/reply packets but they are part of our ssh attack.

Today I would like to write about CEH module 5, that is Scanning. The last module was covered on this blog was Footprinting can be found here If you want to see all the modules written about CEH, you can click “Certified Ethical Hacker” section at the right side bar.

Even tough I will talk about some general scanning techniques, my focus will be on practical knowledge of nmap that is heavily is tested on your CEH exam. I will not go deep on the nmap, you can do lots of cool stuff with it, but my focus will be its general usage for the ceh exam.

NMAP

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

You need to know some basic options, scan types, IP addresses’ and ports’ formats in nmap.

OPTIONS

3 way hand shake will be performed on the connect scan, that is why this option is slow and will have lots of footprints on the target system.
Syn scan will only send SYN packets to targets. If the port is open then we will receive SYN+ACK other wise we will receive RST that indicates the port is closed…
Ping scan: This also known as ping sweep. Basically nmap will be pinging all the given machines and determine live hosts.
UDP scan: In case you want to see UDP ports, you need to run a UDP scan.

We covered the first module. I skipped the second one since you can read that Law section in your study book or any other place. I may have a post about it later.

Foot printing is one of the most important step in hacking. You need to know what your targets are capable of. Do they have IDS? Do they have firewall? What are the firewall rules? Who is their system admin? What is his e-mail address? …

There are lots of sites that you can gather info. My favorites are google, archive.com, PiPl.

Foot Printing Tools

For your CEH exam you need to know bunch of foot printing tools. I cannot mention all of them here, but I will tell the most important ones.

Google: Google and hacking tool? Yes, google can be used as a hacking tool. However, you need to know how to make effective searches.

I.) Phrase search (“”): By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change. This is useful if you need exact strings in your search.

II.) Search within a specific website (site:): Google allows you to specify that your search results must come from a given website. For example, the query nessus site:nytimes.com will return pages about nessus but only from nytimes.com. This can be very useful if you already know what site can give best info about your target.

III.) Terms you want to exclude (-)
Attaching a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results. The minus sign should appear immediately before the word and should be preceded with a space. For example, in the query anti-virus software, the minus sign is used as a hyphen and will not be interpreted as an exclusion symbol; whereas the query anti-virus -software will search for the words ‘anti-virus’ but exclude references to software.

IV) Fill in the blanks (*): The *, or wildcard, is a little-known feature that can be very powerful. If you include * within a query, it tells Google to try to treat the star as a placeholder for any unknown term(s) and then find the best matches. For example, the search Google * will give you results about many of Google’s products. Note that the * operator works only on whole words, not parts of words.

Whois: Whois important tools that can list very important information about the websites such as e-mail addresses, contact names, phones, expiration date of the websites. On your linux machine you can run whois domainName and get details of the domain. You can also use whois.com

Whatismyipaddress.com: This is a website that give details of a given IP.

Traceroute: With traceroute you can get some information about the network. Traceroute list the routers between you and the target. This can be really useful information if you lunch a networking attack against the router.

Nslookup/host/dig : All of these tools do same job: List ip addresses for a given domain name. It basically query.

Dig has more capacity besides giving you IP address of a domain (that can be done by pinging the server right? ).

There is a good article at slicehost website that cover some details of dig.

robot.txt: The Robot Exclusion Standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a website which is otherwise publicly viewable. Robots are often used by search engines to categorize and archive web sites, or by webmasters to proofread source code. The standard is unrelated to, but can be used in conjunction with, Sitemaps, a robot inclusion standard for websites.

As an ethical hacker, you can check if the webserver has a robot.txt file by looking www.example.com/robot.txt Some system admins think disallowing search engines searching directories may have sensitive information is a security measure that prevent others see these directories in search results. HOWEVER, by listing your sensitive directories in robot.txt will just make hackers to focus on these directories and worse thing you already saying where to attack…

I would not recommend using robot.txt. Instead secure these important directories by encrypting, or using access control methods.

As an ethical hacker always check robot.txt because there are lots system admins who does not know security very well.

Summary

Foot printing is an important phase of hacking. In this phase, the goal is get as much as information about the target. This information will be critical part of the attack vectors that be used in the next phases.

There are much more tools than what I covered here. You need to know them for the CEH exam. I will also cover more in later.

I have to blog my CEH experience otherwise I will not do it in the future. I promised myself that I will blog about CCNA exam and gave some tips about it and I wouldn’t. This time I will keep my promise to myself: time to write about CEH.

I passed CEH exam this Monday. According to EC Council (the organization who prepares CEH) The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Security guys who want to take a certification exam but cannot decide between CEH and Security+, I will recommend CEH because it covers similiar topics with Sec+ and it also helps you test your skills in security tools such as snort, hping2, nmap, etc.

I have to tell you that I find the exam a little unprofessional. There was a question that asking to interpret the output above but there was nothing at above! I called the Testing Center Staff and let her to note this and send it to the EC-Council. I also saw some typos. You prepare a world wide exam and make this type of mistakes? It just shows how much Ec-Council cares about the exam.

Anyway, let’s return the our topic.

There are two ways to take the exam: Self Study and Training.

If you have enough experience in the security field or took some computer security courses in the college, I would say Training would be waste of money. Instead spend your money to build a test enviroment. Lots of tools are covered in the CEH are free. You may not even need to buy another computer since you can use virtual machines. If you have Windows then use VMWare player. If you have mac or linux use Virtual box. All of them are free.

You have to fill out this form in order to be able to have self study option:

http://www.eccouncil.org/takeexam.htm

For more info about the exam, visit https://www.eccouncil.org/certification/certified_ethical_hacker.aspx

You will see lots of subjects if you check CEH exam in its offical website. I will try to cover most of them in this blog rest of the year.

After finding enough information about the target, next step would be scanning target hosts.

Phase2: Scanning

In this phase attacker wants to collect as much as information possible. He uses scanners like nmap, hping, nessus, etc.

The main goal in this phase is learning networking enviroment of the victim.

Phase3: Gaining Access

After having enough information about his target, attacker wants to have a control on the victim’s machine. In this phase he needs to understand what he has from previous phases. For example if he see port 135-139 and 445 are open, there would be a chance to connect the machine by openning a null session.

Phase 4: Maintaining Access

Hackers usually want to keep their access with their victims. In order to do this, they plant rootkits, trojans, open backdoors.

Phase 5: Covering Tracks

I think this is the hardest part for a hacker because modern operating systems and applications logs everything login failure, succesfull access, IPs, times….

This is actually a good thing for “ethical hackers” because we want to track intruders in case of an attack. Of course there are some ways to cover your tracks as much as possible but what I am saying none of these methods can gurantee you that you cover all of your tracks.

This module is just for some general background information. We will have much more fun with next modules (well not the next one but after the next- next one is about the laws.)